win.liteduke

LiteDuke

Actor(s): APT 29


According to Carbon Black, LiteDuke is a third-stage backdoor. It appears to use the same dropper as PolyglotDuke. Its payload stores its configuration in an AES-encrypted SQLite database. LiteDuke supports a large number of individual commands, including host information retrieval, file upload and download, and execution of other code. LiteDuke C2 servers appear to be compromised servers, and the malware communicates with them over normal HTTP requests, using a realistic User-Agent string so that its traffic blends in with ordinary HTTP traffic.
ESET dubbed it LiteDuke because it uses SQLite to store information such as its configuration.

References
2020-05-18 | Kevin Perlow (One Night in Norfolk): "Looking Back at LiteDuke". https://norfolkinfosec.com/looking-back-at-liteduke/ (English; accessed 2020-05-18)
    Tags: LiteDuke
2020-03-26 | Scott Knight (VMWare Carbon Black): "The Dukes of Moscow". https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/ (English; accessed 2020-05-18)
    Tags: Cobalt Strike, LiteDuke, MiniDuke, OnionDuke, PolyglotDuke, PowerDuke
Yara Rules
[TLP:WHITE] win_liteduke_auto (20210616 | Detects win.liteduke.)
rule win_liteduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.liteduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff7508 ff15???????? 6a00 ff7510 ff750c ff7508 }
            // n = 6, score = 200
            //   ff7508               | push                dword ptr [ebp + 8]
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   ff7508               | push                dword ptr [ebp + 8]

        $sequence_1 = { 8b4210 8945e0 8b4214 0345f8 8945e4 8b75e4 }
            // n = 6, score = 200
            //   8b4210               | mov                 eax, dword ptr [edx + 0x10]
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8b4214               | mov                 eax, dword ptr [edx + 0x14]
            //   0345f8               | add                 eax, dword ptr [ebp - 8]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b75e4               | mov                 esi, dword ptr [ebp - 0x1c]

        $sequence_2 = { 8b7508 8b3d???????? f3a4 b000 aa 58 014508 }
            // n = 7, score = 200
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b3d????????         |                     
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   b000                 | mov                 al, 0
            //   aa                   | stosb               byte ptr es:[edi], al
            //   58                   | pop                 eax
            //   014508               | add                 dword ptr [ebp + 8], eax

        $sequence_3 = { 83c01c 833d????????01 0f8593000000 50 6a04 6800300000 6800100000 }
            // n = 7, score = 200
            //   83c01c               | add                 eax, 0x1c
            //   833d????????01       |                     
            //   0f8593000000         | jne                 0x99
            //   50                   | push                eax
            //   6a04                 | push                4
            //   6800300000           | push                0x3000
            //   6800100000           | push                0x1000

        $sequence_4 = { ffb5f8fbffff ff15???????? 813e25537973 7535 83c60e 8d8500ffffff }
            // n = 6, score = 200
            //   ffb5f8fbffff         | push                dword ptr [ebp - 0x408]
            //   ff15????????         |                     
            //   813e25537973         | cmp                 dword ptr [esi], 0x73795325
            //   7535                 | jne                 0x37
            //   83c60e               | add                 esi, 0xe
            //   8d8500ffffff         | lea                 eax, dword ptr [ebp - 0x100]

        $sequence_5 = { 8d7308 8b7d0c f3a5 5f }
            // n = 4, score = 200
            //   8d7308               | lea                 esi, dword ptr [ebx + 8]
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   5f                   | pop                 edi

        $sequence_6 = { ff15???????? 83f800 7440 50 6a34 50 ff15???????? }
            // n = 7, score = 200
            //   ff15????????         |                     
            //   83f800               | cmp                 eax, 0
            //   7440                 | je                  0x42
            //   50                   | push                eax
            //   6a34                 | push                0x34
            //   50                   | push                eax
            //   ff15????????         |                     

        $sequence_7 = { 01cf 010d???????? b803000000 aa ff05???????? 6a1a }
            // n = 6, score = 200
            //   01cf                 | add                 edi, ecx
            //   010d????????         |                     
            //   b803000000           | mov                 eax, 3
            //   aa                   | stosb               byte ptr es:[edi], al
            //   ff05????????         |                     
            //   6a1a                 | push                0x1a

        $sequence_8 = { 8b45e4 8b4ddc 09c9 747d 807c08ff00 7576 ff4ddc }
            // n = 7, score = 200
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   8b4ddc               | mov                 ecx, dword ptr [ebp - 0x24]
            //   09c9                 | or                  ecx, ecx
            //   747d                 | je                  0x7f
            //   807c08ff00           | cmp                 byte ptr [eax + ecx - 1], 0
            //   7576                 | jne                 0x78
            //   ff4ddc               | dec                 dword ptr [ebp - 0x24]

        $sequence_9 = { ff750c 50 e8???????? 83c408 83450c40 836d1040 ebe1 }
            // n = 7, score = 200
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   83450c40             | add                 dword ptr [ebp + 0xc], 0x40
            //   836d1040             | sub                 dword ptr [ebp + 0x10], 0x40
            //   ebe1                 | jmp                 0xffffffe3

    condition:
        7 of them and filesize < 1171456
}